Interpreting Strands in Linear Logic


I. Cervesato
ITT Industries
iliano@itd.nrl.navy.mil


N. Durgin
Stanford University
nad@cs.stanford.edu


M. Kanovich, A. Scedrov
University of Pennsylvania
{maxkanov, scedrov}@math.upenn.edu


Abstract 

The adoption of the Dolev-Yao model, an abstraction of security protocols that supports symbolic reasoning, is responsible for many successes in protocol analysis. In particular, it has enabled using logic effectively to reason about protocols. One recent framework for expressing the basic assumptions of the Dolev-Yao model is given by strand spaces, certain directed graphs whose structure reflects causal interactions among protocol participants. We represent strand constructions as relatively simple formulas in first-order linear logic, a refinement of traditional logic known for an intrinsic and natural accounting of process states, events, and resources. The proposed encoding is shown to be sound and complete. Interestingly, this encoding differs from the multiset rewriting definition of the Dolev-Yao model, which is also based on linear logic. This raises the possibility that the multiset rewriting framework may differ from strand spaces in some subtle way, although the two settings are known to agree on the basic secrecy property.

1 Introduction

In recent years, a variety of methods have been developed for analyzing and reasoning about protocols based on cryptographic primitives. Although there are many differences among these proposals, most current formal approaches use the so-called "Dolev-Yao" model of adversary capabilities, which appears to be drawn from positions taken in [34] and from a simplified model presented in [11]. In this idealized setting, a protocol adversary is allowed to nondeterministically choose among possible actions. Messages are composed of indivisible abstract values, not sequences of bits, and encryption is modeled in an idealized way. The adversary may only send messages comprised of data it "knows" as the result of overhearing past transmissions.

The Dolev-Yao abstraction makes symbolic reasoning about crypto-protocols a viable approach. This observation has materialized in a number of successful analyses that use model checking [29, 33, 38] and in several proposals based on logic, the quintessential tool of symbolic reasoning [4, 35].

One recent setting for stating the basic assumptions of the Dolev-Yao model is given by strand spaces [13, 14, 39]. Roughly, a strand is a linearly ordered sequence of events that represents the actions of a protocol participant. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction among participants. This is closely related to Lamport's notion of causality in distributed systems [21], and a clear instance of Mazurkiewicz's definition of trace within concurrency theory [31]. Prior to a run of the protocol, each principal chooses certain data to be used in the protocol, such as keys or nonces.

In contrast, a formal definition of the Dolev-Yao model in terms of multiset rewriting with existential quantification, MSR [6, 7, 12], allows new values such as keys and nonces to be chosen at any time during the protocol run, as the need for new choices arises. In this formalism, a way of choosing new values is provided by the proof rules of existential quantification. The MSR formalism has been incorporated into a high-level specification language for authentication protocols, CAPSL [10].

In [7], we established a substantial equivalence of the MSR and strand space formalisms. We introduced a suitable abstraction of strand configurations that corresponds to MSR states, and showed that related pairs of states and configurations are equi-reachable. This is relevant for security analysis because several basic properties of security protocols (e.g. secrecy) can be phrased as reachability problems. However, it is not clear that all relevant properties of security protocols can be phrased in terms of reachability. Thus a more refined analysis of the MSR and strand space formalisms might reveal the differences between the two formalisms in regard to some subtle properties of protocols. In this paper, which may be seen as a companion to [7], we provide some preliminary steps in this direction.

The MSR and strand space formalisms are analyzed here in the formal setting of linear logic [16], a refinement of modal logic with an intrinsic and natural accounting of process states and events. The choice of linear logic is natural because of the very close connection between multiset rewriting and simple fragments of linear logic, which has been studied extensively [3, 30, 15, 19, 5]. We extend this standard correspondence to include first-order parameters and existentially quantified variables.

On the other hand, we also formally represent strand constructions as relatively simple formulas in first-order linear logic. This encoding is also shown to be sound and complete. As in our previous work on multiset rewriting specifications of security protocols [6, 7, 12], the proof rules of existential quantification provided a way of choosing new values, such as nonces or keys. However, the linear logic interpretation introduced here maintains the strand space intuition that nonces are chosen before the protocol is run. Let us note that this encoding differs from the standard linear logic representation of multiset rewriting. This raises the possibility that the multiset rewriting framework may differ from strand spaces in some subtle way.

Linear logic has found applications in numerous areas of Computer Science, and it has concrete prospects of influencing the field of security protocol analysis in a similar way. As a specification language, linear logic has been used to provide elegant and effective representations of many systems that share characteristics with crypto-protocols [8, 9, 17, 18]. The natural embedding of concurrent systems in linear logic [15, 20], in particular in its graph-based presentations [16], is also likely to be relevant, given the interpretation of security protocols as concurrent systems [1, 40]. Work on meta-reasoning in linear logic [32] promises to address protocol correctness [4, 35] effectively and efficiently. Finally, some of the theoretical results linear logic has brought about (e.g. complexity issues [23]) are expected to yield a better understanding of the most fundamental aspects of security protocols [12].

This paper is organized as follows: Section 2 recalls the notion of strand and reachability between strand configurations; Section 3 provides some background on linear logic; Section 4 describes the translation of strand constructions into linear logic, while in Section 5 we prove soundness and completeness theorems that relate strand reachability and linear logic derivability for their translation. In Section 6, we compare these results with the translation of the multiset rewriting specifications of a security protocol in linear logic.

2 Parametric Strands

In this section, we recall first the notions of strand spaces and bundles [13, 39], and then recent extensions aimed at capturing protocol execution at the level of strands [7].

An event is a pair consisting of a message $m$ and an indication of whether it has been sent ($+m$) or received ($-m$) [13]. A strand is a finite sequence of events. We indicate strands with the letter $s$, the length of a strand as $|s|$, and its $i$-th event as $s_i$ (for $i = 1 \ldots |s|$). A strand $s$ is therefore a chain graph $(S, \Rightarrow)$, where $S = \{s_i : i = 1 \ldots |s|\}$, moreover $s_i \Rightarrow s_j$ iff $j = i + 1$, and finally the nodes $s_i$ are labeled with events.

A strand space is a set of strands with an additional relation ($\rightarrow$) on the nodes, such that if $v_1 \rightarrow v_2$, then $v_1 = +m$ and $v_2 = -m$; $\rightarrow$ represents the transmission of the message $m$ from the sender $v_1$ to the receiver $v_2$. A strand space is therefore a graph with two types of arrows, a bi-graph using the terminology in [7], $\sigma = (S, \Rightarrow, \rightarrow)$ with the above restriction on $\rightarrow$. Given such $\sigma$, we will sometimes write $S_\sigma$, $\Rightarrow_\sigma$, and $\rightarrow_\sigma$ for $S$, $\Rightarrow$, and $\rightarrow$ respectively.

Let $S^+$ and $S^-$ indicate the set of positively- and negatively-labeled nodes in $S$ respectively. A bundle [13, 7] (see also [21]) is a strand space $\sigma = (S, \Rightarrow, \rightarrow)$ such that the bipartite graph $(S^+, S^-, \rightarrow)$ is functional (a positive node has at most one outgoing $\rightarrow$-edge), injective (a negative node has at most one incoming $\rightarrow$-edge), and surjective (a negative node has at least one incoming $\rightarrow$-edge), and $(\Rightarrow \cup \rightarrow)$ is acyclic [7]. In terms of protocols, the first three constraints imply that a message is sent to at most one recipient at a time, no message is received from more than one sender, and every received message has been sent, respectively. Dangling positive nodes correspond to messages in transit. Therefore, a bundle represents a snapshot of the execution of a protocol.


We now build on these accepted definitions and present a strand-based language for the specification of protocols and of their execution. The interested reader may consult [7] for further details.

Data such as the identity of principals and their long-term keys often constitute the stage on which the execution of a protocol takes place, and do not change as it unfolds. We represent and access this persistent information through a fixed multiset $\Pi$ of ground atomic formulas with distinguished persistent predicates (e.g. $\mathrm{PubK}$ and $\mathrm{PrvK}$) [7].

A role is modeled as a parametric strand: a strand where the messages may contain variables. An actual strand is obtained by instantiating all the variables in a parametric strand (or an initial segment of one) with persistent information and actual message pieces. A parametric strand for the role $\rho$ may look as in Figure 1. The freshness of $\vec{n}$, i.e. the fact that the variables $\vec{n}$ should be instantiated with "new" constants that have not been used before, is expressed as a side condition. Using the terminology in [13, 39], the values $\vec{n}$ are uniquely originated. The relationships between variables are expressed in [39] using intuitive notation, e.g. $k^{-1}$ for the inverse key of $k$, or $k_A$ for the public key of $A$. We formalize these relations by equipping $\rho$ with constraints $\pi(\vec{x})$, that, without loss of generality, will be a set of persistent atomic formulas parameterized over $\vec{x}$. In this paper, it is convenient to equip each parametric strand with an initial node labeled with $\top$ and an ending node labeled $\bot$. This addition is discussed at length in [7].

A protocol is given as a set of roles. The model of the intruder in the style of Dolev and Yao [11, 34] is also specified as a set of parametric strands $\mathcal{P}(P_0)$ called penetrator strands, where $P_0$ is the intruder's initial knowledge [7, 39]. As an example, Figure 2 shows how the Needham-Schroeder public key protocol is modeled using parametric strands, where we have used incoming and outgoing arrows instead of the tags $+$ and $-$ for readability. We ask the reader to




Initiator$(K_A, K_A^{-1}, K_B, N_A, N_B)$, with side condition "$N_A$ fresh, $\pi_A(K_A, K_A^{-1}, K_B)$":

$\top \xRightarrow{Q(q_0)} +\{N_A, K_A\}_{K_B} \xRightarrow{Q(q_1)} -\{N_A, N_B\}_{K_A} \xRightarrow{Q(q_2)} +\{N_B\}_{K_B} \xRightarrow{\mathit{stop}} \bot$

Responder$(K_B, K_B^{-1}, K_A, N_B, N_A)$, with side condition "$N_B$ fresh, $\pi_B(K_B, K_B^{-1}, K_A)$":

$\top \xRightarrow{Q(q_0)} -\{N_A, K_A\}_{K_B} \xRightarrow{Q(q_1)} +\{N_A, N_B\}_{K_A} \xRightarrow{Q(q_2)} -\{N_B\}_{K_B} \xRightarrow{\mathit{stop}} \bot$

where $\pi_A(K_A, K_A^{-1}, K_B) = \mathrm{PubK}(K_A),\ \mathrm{PrvK}(K_A, K_A^{-1}),\ \mathrm{PubK}(K_B)$
and $\pi_B(K_B, K_B^{-1}, K_A) = \mathrm{PubK}(K_B),\ \mathrm{PrvK}(K_B, K_B^{-1}),\ \mathrm{PubK}(K_A)$

(The original figure draws each event as an incoming or outgoing arrow and shows the $Q(q_i)$ and $\mathit{stop}$ labels as shaded annotations on the $\Rightarrow$-edges; the diagram is rendered here as the two labeled chains above.)

Figure 2: Extended Strand Specification of Needham-Schroeder


ignore the shaded annotations on the $\Rightarrow$-edges for the moment.

These definitions allow us to specialize the bundles we are looking at: given a set of parametric strands $\mathcal{S}$, every strand in a bundle $\sigma$ should be an initial prefix of an instantiated protocol (or penetrator) strand. We are interested in initial prefixes since a bundle is a snapshot of the execution of a protocol, and a particular role instance may be halfway through its execution. We then say that $\sigma$ is a bundle over $\mathcal{S}$.

We will now give a few definitions needed to emulate the execution of a protocol with parametric strands. First, observe that the network traffic in a bundle is expressed in terms of events and of the $\rightarrow$ relation. The edges of $\rightarrow$ represent past traffic: messages that have been sent and successfully received. The dangling positive nodes correspond to current traffic: messages in transit that have been sent, but not yet received. We will call these nodes the fringe of the bundle (or strand space). More formally, given a strand space $\sigma = (S, \Rightarrow, \rightarrow)$, its fringe is the set

$\mathrm{Fr}(\sigma) = \{v : v \in S,\ v = +m,\ \text{and } \nexists v'.\ v \rightarrow v'\}.$
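The bundle conditions (functional, injective, surjective, acyclic) and the fringe $\mathrm{Fr}(\sigma)$ defined above, checked mechanically on a constructed snapshot of the Needham-Schroeder protocol of Figure 2. This is an added example, not code from the paper; the list-of-events representation of strands and the tuple encoding of nodes are assumptions of this example.

```python
"""Bundle check and fringe computation for a strand space (Section 2).
Added example, not part of the original paper; the concrete encoding of
events, strands and ->-edges below is an assumption of this example."""
from collections import defaultdict

# An event is ("+", m) for a transmission or ("-", m) for a reception;
# a strand is a list of events; a node is (strand_index, position), with
# positions counted from 0.  The =>-edges are implicit (consecutive
# positions on one strand); the ->-edges are a set of pairs
# (sender_node, receiver_node).


def is_strand_space(strands, comm):
    """Every ->-edge must lead from a node labelled +m to one labelled -m."""
    for (s1, i1), (s2, i2) in comm:
        sign1, m1 = strands[s1][i1]
        sign2, m2 = strands[s2][i2]
        if not (sign1 == "+" and sign2 == "-" and m1 == m2):
            return False
    return True


def is_bundle(strands, comm):
    """(S+, S-, ->) is functional, injective and surjective, and the
    union of => and -> is acyclic."""
    if not is_strand_space(strands, comm):
        return False
    out_deg, in_deg = defaultdict(int), defaultdict(int)
    for src, dst in comm:
        out_deg[src] += 1
        in_deg[dst] += 1
    nodes = [(si, i) for si, s in enumerate(strands) for i in range(len(s))]
    for v in nodes:
        sign, _ = strands[v[0]][v[1]]
        # functional: a message goes to at most one recipient at a time
        if sign == "+" and out_deg[v] > 1:
            return False
        # injective and surjective together: every received message
        # comes from exactly one sender
        if sign == "-" and in_deg[v] != 1:
            return False
    # acyclicity of (=> U ->) by depth-first search; GREY = on the stack
    succ = defaultdict(list)
    for si, s in enumerate(strands):
        for i in range(len(s) - 1):
            succ[(si, i)].append((si, i + 1))
    for src, dst in comm:
        succ[src].append(dst)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)

    def dfs(v):
        colour[v] = GREY
        for w in succ[v]:
            if colour[w] == GREY or (colour[w] == WHITE and not dfs(w)):
                return False
        colour[v] = BLACK
        return True

    return all(colour[v] != WHITE or dfs(v) for v in nodes)


def fringe(strands, comm):
    """Fr(sigma): positive nodes with no outgoing ->-edge (messages in transit)."""
    senders = {src for src, _ in comm}
    return [(si, i) for si, s in enumerate(strands)
            for i, (sign, _) in enumerate(s)
            if sign == "+" and (si, i) not in senders]


# Constructed snapshot of Needham-Schroeder (Figure 2): A has sent its
# first message, B has received it and replied, and the reply is still
# in transit.  Messages are plain strings; {..}k denotes encryption.
NS_STRANDS = [
    [("+", "{NA,KA}KB")],                        # initiator prefix
    [("-", "{NA,KA}KB"), ("+", "{NA,NB}KA")],    # responder prefix
]
NS_COMM = {((0, 0), (1, 0))}

# Constructed non-bundle: the two ->-edges close a cycle through =>.
CYCLE_STRANDS = [[("-", "b"), ("+", "a")], [("-", "a"), ("+", "b")]]
CYCLE_COMM = {((0, 1), (1, 0)), ((1, 1), (0, 0))}

if __name__ == "__main__":
    print(is_bundle(NS_STRANDS, NS_COMM), fringe(NS_STRANDS, NS_COMM))
    print(is_bundle(CYCLE_STRANDS, CYCLE_COMM))
```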

Another component of the execution state of a protocol is a description of the actions that can legally take place in order to continue the execution. First, some technicalities. Let $\sigma$ be a bundle over a set of parametric strands $\mathcal{S}$; a completion of $\sigma$ is any strand space $\bar{\sigma}$ that embeds $\sigma$ as a subgraph, and that extends each incomplete strand in it with the omitted nodes and the relative $\Rightarrow$-edges. If $s$ is a strand in $\sigma$ and $\bar{s}$ is its extension in $\bar{\sigma}$, the sequence obtained by removing every event in $s$ from $\bar{s}$ is itself a (possibly empty) strand. We call it a residual strand and indicate it as $\bar{s} \setminus s$. We then write $\bar{\sigma} \setminus \sigma$ for the set of all residual strands of $\bar{\sigma}$ with respect to $\sigma$.

Given these preliminary definitions, a configuration over $\mathcal{S}$ is a structure $(\sigma, \sigma^\sharp)_\Sigma$ where $\sigma$ is a bundle over $\mathcal{S}$, and $\sigma^\sharp$ is an extension of $\sigma$ whose only additional $\rightarrow$-edges originate in $\mathrm{Fr}(\sigma)$, cover all of $\mathrm{Fr}(\sigma)$, and point to $\sigma^\sharp \setminus \sigma$, and finally the signature $\Sigma$ lists all the symbols that appear in $\sigma^\sharp$ (and $\sigma$).


We define the notion of one-step transition between two configurations $(\sigma_1, \sigma_1^\sharp)_{\Sigma_1}$ and $(\sigma_2, \sigma_2^\sharp)_{\Sigma_2}$, written $(\sigma_1, \sigma_1^\sharp)_{\Sigma_1} \mapsto^{o}_{\mathcal{S}} (\sigma_2, \sigma_2^\sharp)_{\Sigma_2}$, by means of four rules that we call $C_f$, $C_i$, $S$ and $R$. For the sake of conciseness, we limit ourselves to an intuitive presentation based on the following sketches. A formal definition can be found in [7].


[Sketches of the four transition rules: a strand $s$ with its residual $\bar{s} \setminus s$, and the nodes $v$, $v'$ and $v''$ labeled $(+m)$ and $(-m)$ that rules $S$ and $R$ act upon. The diagrams themselves are not reproduced here.]

The move $o$ that labels the transition arrow $\mapsto_{\mathcal{S}}$ records the necessary information to reconstruct the transition uniquely.

Rule $C_f$ describes the instantiation of a parametric strand $\rho(\vec{x}, \vec{n})$ with a substitution $\xi$ for all its variables that are marked "fresh" ($\vec{n}$). The substituted constants must be distinct from each other and from any other value appearing in $\sigma_1$. Rule $C_i$ realizes the second stage of instantiation: it applies a substitution $\delta$ to the remaining variables $\vec{x}$ of a partially instantiated strand $\rho[\xi]$, checks that the atomic formulas resulting from instantiating the constraints $\pi(\vec{x})$ of $\rho$ with $\delta$ satisfy $\Pi$, and installs its initial node $\top$ in $\sigma_1$ to produce $\sigma_2$. We must perform instantiation in two stages to handle protocols where two parties exchange newly produced nonces as in the Needham-Schroeder protocol in Figure 2.

The remaining rules deal with message transmission and reception once a strand has been installed in the configuration. In particular, $v$, $v'$ and $v''$ are nodes on fully instantiated strands. Rule $S$ models the action of sending a message: if the configuration at hand embeds a strand that is not fully contained in the bundle part $\sigma_1$ and the first missing node $v$ is positive, we add a $\rightarrow$-arrow to a matching negative node $v''$ and include $v$ in $\sigma_2$. Receiving a message is modeled by rule $R$: if $(\sigma_1, \sigma_1^\sharp)_{\Sigma_1}$ mentions a strand that is not fully contained in its bundle part and its first missing node $v$ has an incoming $\rightarrow$-edge, we add it to the bundle.

A multistep transition amounts to chaining zero or more one-step transitions. This relation is obtained by taking the reflexive and transitive closure $\mapsto^{\vec{o}\,*}_{\mathcal{S}}$ of $\mapsto^{o}_{\mathcal{S}}$, where $\vec{o}$ is the sequence of the component moves ($\cdot$ if empty); $\vec{o}$ is a trace of the computation.

Our definition of transition preserves configurations, i.e. if $(\sigma_1, \sigma_1^\sharp)_{\Sigma_1}$ is a configuration and $(\sigma_1, \sigma_1^\sharp)_{\Sigma_1} \mapsto^{o}_{\mathcal{S}} (\sigma_2, \sigma_2^\sharp)_{\Sigma_2}$, then $(\sigma_2, \sigma_2^\sharp)_{\Sigma_2}$ is also a configuration. Moreover, $\Sigma_1 \subseteq \Sigma_2$. These properties extend to multistep transitions.


3 Elements of Linear Logic


The target of our interpretation of strand constructions will be a sublanguage of linear logic [16]. We choose this formalism over more traditional logics because of its interpretation of formulas as consumable resources. This provides, for example, a simple way of modeling the fact that receiving a message makes it unavailable to other recipients (unless further actions are taken).

This language, a fragment of first-order multiplicative exponential linear logic to be precise, is given by the following grammar:

$A ::= P$                              Atomic formulas
$\quad \mid\ 1$                        Multiplicative unit
$\quad \mid\ A_1 \otimes A_2$          Multiplicative conjunction
$\quad \mid\ A_1 \multimap A_2$        Linear implication
$\quad \mid\ \forall x.\,A$            Universal quantification
$\quad \mid\ \exists x.\,A$            Existential quantification

$P ::= N(m)$                           Message in transit
$\quad \mid\ \mathrm{PubK}(k) \mid \ldots$   Persistent information
$\quad \mid\ Q(q)$                     Intermediate step
$\quad \mid\ \mathit{stop}$            Role completion


We use messages and their constituents as the basis of the term language of our formulas, as described in [7]. We rely on the unary predicate symbol $N$ to hold messages being exchanged, and we maintain the syntax we glimpsed at in the previous section for persistent information. Atoms of the form $Q(q)$ uniquely identify the intermediate $\Rightarrow$-edges in a configuration (see Section 4). Finally, the atomic constant $\mathit{stop}$ will indicate the completion of a strand.

The connectives we will need are $\otimes$, known as multiplicative conjunction, the constant $1$ (multiplicative unit), $\multimap$ or linear implication, and the usual quantifiers. A resource $A_1 \otimes A_2$ consists of the sum of parts $A_1$ and $A_2$, while $A_1 \multimap A_2$ realizes resource $A_2$ subject to the availability of $A_1$ while consuming $A_1$ itself (this therefore implements the notion of transition). When instantiating quantifiers, we write $[t/x]A$ for the capture-free substitution of term $t$ for variable $x$ in formula $A$. We abbreviate $[t_1/x_1]([t_2/x_2](\ldots [t_n/x_n]A))$ as $[t_1/x_1, \ldots, t_n/x_n]A$.

Contexts are finite multisets of comma-separated formulas. The empty context is denoted "$\cdot$". We will use the letters $\Gamma$ and $\Delta$, possibly subscripted, to indicate contexts. A signature $\Sigma$ is a list of constants.

The derivability judgments we will rely upon are sequents of the form [17]:

$\Gamma;\ \Delta \vdash_\Sigma A$

where the formulas in $\Gamma$ and $\Delta$ are the resources available to produce the formula $A$. While the elements in $\Delta$ shall be used exactly once, the resources in $\Gamma$ can be exploited arbitrarily many times, possibly zero. This convenient two-context formulation [17] is rewritten as a more common single-context sequent by augmenting $\Delta$ with the result of prefixing every formula in $\Gamma$ with the exponential modality "!" [16]. The signature $\Sigma$ lists all the constants mentioned in the sequent. Although usually omitted in presentations of (linear) logic, it simplifies our treatment of nonces.

The relevant inference rules for this language are displayed in Figure 3. The rules on the left-hand side are called multiplicative. Rule $\mathit{id}$ will be used at the leaves of a derivation: it specifies that an object $A$ can be trivially produced from $A$ itself (the formulas in $\Gamma$ are ignored). Notice that no excess resources are admitted. Rule $\multimap\mathrm{l}$ specifies how to use a resource $A_1 \multimap A_2$ to build an object $C$: if $A_1$ can be produced using part of the context ($\Delta_1$), then $A_2$ and what remains of the context ($\Delta_2$) are available to produce $C$. Rule $\otimes\mathrm{l}$ states that a composite resource can be broken to make its components individually available, while $\otimes\mathrm{r}$ specifies that $A_1 \otimes A_2$ is produced by building its parts independently. The constant $1$ is the non-resource: it does not contribute to a goal (rule $1\mathrm{l}$) and does not require any resource to be established (rule $1\mathrm{r}$). Rule $\mathit{cut}$ permits constructing an object in stages: in order to obtain $C$, one can first build $A$ with some of the available resources, and then use $A$ to achieve $C$. Since $C$ can always be produced directly from the original resources, this rule is effectively redundant, which we emphasize by displaying it in a shaded font.

The right-hand side of Figure 3 shows rule $\mathrm{dl}$ (dereliction), which makes a copy of a formula $A$ in $\Gamma$ available in $\Delta$, and the rules concerning the quantifiers. Observe that the existential quantifiers in the context $\Delta$ are instantiated with new constants (rule $\exists\mathrm{l}$), which we record in the signature $\Sigma$. In the right-hand side of the turnstile (rule $\exists\mathrm{r}$), these quantifiers have instead the function of hiding the use of these newly introduced constants. Notice that they are instantiated with constants from $\Sigma$ rather than with arbitrary terms: this is sufficient for our purposes. Instead, we allow universally quantified variables to be instantiated with arbitrary terms (rule $\forall\mathrm{l}$).

4 Strands in Linear Logic

We will now describe the translation of parametric strands and configurations into the fragment of linear logic we just discussed. We shall emphasize that this encoding does not treat penetrator strands differently from regular protocol strands in any way. This adheres to the strand philosophy,




Multiplicatives

$$\frac{}{\Gamma;\ A \vdash_\Sigma A}\ \mathit{id} \qquad \frac{\Gamma;\ \Delta_1 \vdash_\Sigma A \qquad \Gamma;\ \Delta_2, A \vdash_\Sigma C}{\Gamma;\ \Delta_1, \Delta_2 \vdash_\Sigma C}\ \mathit{cut}$$

$$\frac{\Gamma;\ \Delta_1 \vdash_\Sigma A_1 \qquad \Gamma;\ \Delta_2, A_2 \vdash_\Sigma C}{\Gamma;\ \Delta_1, \Delta_2, A_1 \multimap A_2 \vdash_\Sigma C}\ \multimap\mathrm{l}$$

$$\frac{\Gamma;\ \Delta, A_1, A_2 \vdash_\Sigma C}{\Gamma;\ \Delta, A_1 \otimes A_2 \vdash_\Sigma C}\ \otimes\mathrm{l} \qquad \frac{\Gamma;\ \Delta_1 \vdash_\Sigma A_1 \qquad \Gamma;\ \Delta_2 \vdash_\Sigma A_2}{\Gamma;\ \Delta_1, \Delta_2 \vdash_\Sigma A_1 \otimes A_2}\ \otimes\mathrm{r}$$

$$\frac{\Gamma;\ \Delta \vdash_\Sigma C}{\Gamma;\ \Delta, 1 \vdash_\Sigma C}\ 1\mathrm{l} \qquad \frac{}{\Gamma;\ \cdot \vdash_\Sigma 1}\ 1\mathrm{r}$$

Exponentials and quantifiers

$$\frac{\Gamma, A;\ \Delta, A \vdash_\Sigma C}{\Gamma, A;\ \Delta \vdash_\Sigma C}\ \mathrm{dl}$$

$$\frac{\Gamma;\ \Delta, [t/x]A \vdash_\Sigma C}{\Gamma;\ \Delta, \forall x.\,A \vdash_\Sigma C}\ \forall\mathrm{l}$$

$$\frac{\Gamma;\ \Delta, [c/x]A \vdash_{\Sigma, c} C}{\Gamma;\ \Delta, \exists x.\,A \vdash_\Sigma C}\ \exists\mathrm{l}\ (*) \qquad \frac{\Gamma;\ \Delta \vdash_{\Sigma, c} [c/x]A}{\Gamma;\ \Delta \vdash_{\Sigma, c} \exists x.\,A}\ \exists\mathrm{r}$$

(*) $c$ not in $\Sigma$

(Rule $\mathit{cut}$ is displayed in a shaded font in the original.)

Figure 3: Relevant Rules of Linear Logic


and contrasts with other approaches which syntactically differentiate the intruder model (e.g. [6]).

Let $\rho(\vec{n}, \vec{x}, \vec{y})$ be a parametric strand with constraints "$\vec{n}$ fresh, $\pi(\vec{x})$". Let $s_0, s_1, \ldots, s_n, s_{n+1}$ be the nodes of $\rho$, with $s_0 = \top$, $s_{n+1} = \bot$, and for $i = 0..n$, $s_i \Rightarrow s_{i+1}$. We define the encoding of node $s_i$ (for $i = 0..n+1$), written $\ulcorner s_i \urcorner$, as follows:

$\ulcorner s_{n+1} \urcorner = \mathit{stop}$

$\ulcorner s_i \urcorner = Q(q_{i-1}) \otimes (Q(q_{i-1}) \otimes N(m) \multimap \ulcorner s_{i+1} \urcorner)$   if $s_i = -m$

$\ulcorner s_i \urcorner = Q(q_{i-1}) \otimes (Q(q_{i-1}) \multimap N(m) \otimes \ulcorner s_{i+1} \urcorner)$   if $s_i = +m$

$\ulcorner s_0 \urcorner = \bigotimes \pi(\vec{x}) \multimap \bigotimes \pi(\vec{x}) \otimes \ulcorner s_1 \urcorner$

where, given a multiset of formulas $\Delta$, $\bigotimes \Delta$ is the formula obtained by taking the multiplicative conjunction of every element of $\Delta$. For $i = 1..n$, $\ulcorner s_i \urcorner$ expresses the action in $s_i$ by placing the sent (received) message $m$ in the consequent (resp. antecedent) of the implication. Rule $\multimap\mathrm{l}$ will have the effect of inserting (resp. removing) $N(m)$ into (resp. from) the context $\Delta$. Notice that its application will also insert $\ulcorner s_{i+1} \urcorner$ into $\Delta$, enabling in this way the next action. This technique is known as continuation-passing style in the programming language community.

The arguments of the conjuncts $Q(q_0), \ldots, Q(q_{n-1})$ are distinct variables. It is convenient to interpret them as labels for the $\Rightarrow$-edges of $\rho$, as shown in Figure 2. The last arrow, leading to $s_{n+1} = \bot$, is instead labeled with the propositional letter $\mathit{stop}$. These atoms serve multiple purposes: first, they provide a way to preserve the order of consecutive message transmissions or receptions, which may prove important for some applications; second, their presence greatly simplifies our proofs as they implement the "locks and keys" technique [23], which has yielded faithful representations of various computational paradigms in linear logic [22, 23, 24]; third, they are a crucial device for bridging the gap with the multiset rewriting specification of a protocol [7]. Were these reasons, in particular the first one, to fall, a simpler encoding can be achieved by replacing the $Q(q_i)$'s and $\mathit{stop}$ with the linear logic constant $1$.

The encoding of $\rho$ is achieved by appropriately quantifying the free variables in $\ulcorner s_0 \urcorner$:

$\ulcorner \rho \urcorner = \exists q_0, \ldots, q_{n-1}.\ \exists \vec{n}.\ \forall \vec{x}, \vec{y}.\ \ulcorner s_0 \urcorner$

Existentially quantifying the $q_i$'s, as well as $\vec{n}$, guarantees that they will be instantiated with constants distinct from any other value in use. Applying this encoding to the Needham-Schroeder protocol specified in Figure 2 yields the linear logic formulas in Figure 4.

In order to define the encoding of a configuration, we need to extend this notation to partially and fully instantiated strands. Let $\xi$ be a substitution for the "fresh" variables $\vec{n}$ of $\rho$. Then

$\ulcorner \rho[\xi] \urcorner = [\xi, u_0/q_0, \ldots, u_{n-1}/q_{n-1}]\ \forall \vec{x}, \vec{y}.\ \ulcorner s_0 \urcorner,$

where $u_0, \ldots, u_{n-1}$ are distinct constants. If furthermore $\delta$ is a substitution for the remaining variables $\vec{x}, \vec{y}$ of $\rho$, we define

$\ulcorner \rho[\xi, \delta] \urcorner = [\delta]([\xi, u_0/q_0, \ldots, u_{n-1}/q_{n-1}]\ \ulcorner s_0 \urcorner).$

Observe that $\delta$ can mention some of the constants newly introduced by $\xi$. We extend the notation $\ulcorner s_i \urcorner$, for $i = 0..n+1$, to the case where $s_i$ is a node in a fully instantiated strand (clearly, the $q_i$'s will have been replaced with $u_i$'s).

We shall now encode configurations. A configuration $(\sigma, \sigma^\sharp)_\Sigma$ comprises three types of information: 1) an account of how this situation has been reached (as $\sigma$ and the strands in $\sigma^\sharp$ that have been instantiated, but not yet used); 2) a description of the current situation (in $\mathrm{Fr}(\sigma)$); and 3) a summary of the future actions that can be performed (in $\sigma^\sharp \setminus \sigma$). We will ignore the first aspect since it will be partially captured through the notion of derivation. The representation of $\mathrm{Fr}(\sigma)$ will simply be the conjunction of the messages in it (or $1$ if none is present):

$\ulcorner \mathrm{Fr}(\sigma) \urcorner = \bigotimes \{\!\{ N(m) : m \in \mathrm{Fr}(\sigma) \}\!\}$

where we write $\{\!\{\ldots\}\!\}$ for the multiset equivalent of the usual set notation $\{\ldots\}$. As for $\sigma^\sharp \setminus \sigma$, we take the conjunction of the representation of each fully instantiated residual strand in it, plus the representation of the strands that are only partially instantiated:

$\ulcorner \sigma^\sharp \setminus \sigma \urcorner = \bigotimes \{\!\{ \ulcorner s_{i+1} \urcorner : s = \rho[\xi, \delta] \text{ in } \sigma^\sharp,\ s_i \in \sigma,\ \text{and } s_{i+1} \in \sigma^\sharp \setminus \sigma \}\!\} \otimes \bigotimes \{\!\{ \ulcorner \rho[\xi] \urcorner : \rho[\xi] \text{ in } \sigma^\sharp \}\!\}.$

For the sake of conciseness, we define the representation of a configuration $(\sigma, \sigma^\sharp)_\Sigma$ as

$\ulcorner (\sigma, \sigma^\sharp)_\Sigma \urcorner = \ulcorner \mathrm{Fr}(\sigma) \urcorner \otimes \ulcorner \sigma^\sharp \setminus \sigma \urcorner.$
$\exists q_0, q_1, q_2.\ \exists n_A.\ \forall k_A, k_A^{-1}, k_B, n_B.\ \bigotimes \pi_A(k_A, k_A^{-1}, k_B) \multimap \bigotimes \pi_A(k_A, k_A^{-1}, k_B) \otimes Q(q_0) \otimes ($
$\quad Q(q_0) \multimap N(\{n_A, k_A\}_{k_B}) \otimes Q(q_1) \otimes ($
$\quad\quad Q(q_1) \otimes N(\{n_A, n_B\}_{k_A}) \multimap Q(q_2) \otimes ($
$\quad\quad\quad Q(q_2) \multimap N(\{n_B\}_{k_B}) \otimes \mathit{stop})))$

$\exists q_0, q_1, q_2.\ \exists n_B.\ \forall k_B, k_B^{-1}, k_A, n_A.\ \bigotimes \pi_B(k_B, k_B^{-1}, k_A) \multimap \bigotimes \pi_B(k_B, k_B^{-1}, k_A) \otimes Q(q_0) \otimes ($
$\quad Q(q_0) \otimes N(\{n_A, k_A\}_{k_B}) \multimap Q(q_1) \otimes ($
$\quad\quad Q(q_1) \multimap Q(q_2) \otimes N(\{n_A, n_B\}_{k_A}) \otimes ($
$\quad\quad\quad Q(q_2) \otimes N(\{n_B\}_{k_B}) \multimap \mathit{stop})))$

Figure 4: Linear Logic Translation of the Needham-Schroeder Protocol
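The node, role and configuration encodings of this section, applied to the Needham-Schroeder roles of Figure 2 (reproducing the formulas of Figure 4) and to a constructed configuration. This is an added example, not the paper's own code; the ASCII rendering of the connectives, the upper-case/lower-case distinction between constants and variables, and the constant prefixes u and v standing for the $u_i$ are assumptions of this example.

```python
"""Translating parametric strands and configurations into the linear-logic
fragment of Section 4.  Added example, not the paper's own code.  Formulas
are rendered as ASCII strings: '*' is the multiplicative conjunction and
binds tighter than '-o' (linear implication); 'E' and 'A' are the
existential and universal quantifiers, whose scope extends to the right.
Constants are written in upper case and variables in lower case, an
assumption of this example only."""


def big_tensor(formulas):
    """(x)Delta: the multiplicative conjunction of every element of a
    multiset of formulas, or the unit 1 when the multiset is empty."""
    return " * ".join(formulas) if formulas else "1"


def encode_node(events, i, label="q", locks=True):
    """<s_i> for i = 1..n+1, where events = s_1..s_n and s_{n+1} is the
    final node (bottom).  Each node consumes the lock Q(q_{i-1}) of the
    =>-edge leading to it and, in continuation-passing style, releases the
    encoding of the next node.  With locks=False the Q(.) atoms and stop
    are replaced by 1, the simpler encoding the paper mentions."""
    n = len(events)
    if i == n + 1:
        return "stop" if locks else "1"
    q = f"Q({label}{i - 1})" if locks else "1"
    rest = encode_node(events, i + 1, label, locks)
    sign, m = events[i - 1]
    if sign == "-":  # reception: N(m) sits in the antecedent
        return f"{q} * ({q} * N({m}) -o {rest})"
    if sign == "+":  # transmission: N(m) sits in the consequent
        return f"{q} * ({q} -o N({m}) * {rest})"
    raise ValueError(f"bad event sign {sign!r}")


def encode_s0(constraints, events, label="q", locks=True):
    """<s_0> = (x)pi(x) -o (x)pi(x) * <s_1>: the constraints pi(x) are
    checked against the persistent information and handed back."""
    pi = big_tensor(constraints)
    return f"{pi} -o {pi} * {encode_node(events, 1, label, locks)}"


def encode_role(fresh, params, constraints, events, locks=True):
    """<rho> = E q0,...,q_{n-1}. E n. A x,y. <s_0> for a parametric strand
    with fresh variables n, remaining variables x,y and constraints pi(x)."""
    body = f"A {','.join(params)}. {encode_s0(constraints, events, locks=locks)}"
    if fresh:
        body = f"E {','.join(fresh)}. {body}"
    if locks:
        qs = ",".join(f"q{i}" for i in range(len(events)))
        body = f"E {qs}. {body}"
    return body


def encode_partial(params, constraints, events, label):
    """<rho[xi]> = [xi, u0/q0, ..., u_{n-1}/q_{n-1}] A x,y. <s_0>.  The caller
    has already replaced the fresh variables by constants in `events`;
    `label` names the distinct constants u_i substituted for the q_i."""
    return f"A {','.join(params)}. {encode_s0(constraints, events, label)}"


def encode_configuration(fringe_messages, active, partial):
    """<(sigma, sigma#)_Sigma> = <Fr(sigma)> * <sigma# \\ sigma>.
    `active` lists fully instantiated strands as (events, i, label): nodes
    s_1..s_i lie in the bundle, so the residual contributes <s_{i+1}>
    (just `stop` for a completed strand); `partial` lists the <rho[xi]>
    of partially instantiated strands, parenthesised so that their
    quantifiers do not capture the other conjuncts."""
    parts = [f"N({m})" for m in fringe_messages]
    parts += [encode_node(events, i + 1, label) for events, i, label in active]
    parts += [f"({p})" for p in partial]
    return big_tensor(parts)


# The Needham-Schroeder roles of Figure 2, transcribed for this example.
NS_INITIATOR = dict(
    fresh=["nA"], params=["kA", "kA^-1", "kB", "nB"],
    constraints=["PubK(kA)", "PrvK(kA,kA^-1)", "PubK(kB)"],
    events=[("+", "{nA,kA}kB"), ("-", "{nA,nB}kA"), ("+", "{nB}kB")])
NS_RESPONDER = dict(
    fresh=["nB"], params=["kB", "kB^-1", "kA", "nA"],
    constraints=["PubK(kB)", "PrvK(kB,kB^-1)", "PubK(kA)"],
    events=[("-", "{nA,kA}kB"), ("+", "{nA,nB}kA"), ("-", "{nB}kB")])


def sample_configuration():
    """Constructed snapshot (not Figure 5 of the paper): the fully
    instantiated initiator has sent {NA,KA}KB, still in transit, and the
    responder has only had its fresh nonce NB chosen (rule C_f)."""
    init_events = [("+", "{NA,KA}KB"), ("-", "{NA,NB}KA"), ("+", "{NB}KB")]
    resp_events = [("-", "{nA,kA}kB"), ("+", "{nA,NB}kA"), ("-", "{NB}kB")]
    responder = encode_partial(NS_RESPONDER["params"],
                               NS_RESPONDER["constraints"], resp_events, "v")
    return encode_configuration(["{NA,KA}KB"], [(init_events, 1, "u")], [responder])


if __name__ == "__main__":
    print(encode_role(**NS_INITIATOR))
    print(encode_role(**NS_RESPONDER))
    print(sample_configuration())
```

In the output of sample_configuration, Q(u1) is the atom for the ⇒-edge crossed by the border between σ and σ♯ \ σ, and the parenthesised responder formula carries the only quantifiers, as the text describes for Figure 5.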


We will make the encoding we have just presented more concrete by means of an example. The upper part of Figure 5 shows a configuration $(\sigma, \sigma^\sharp)$ representing an initial stage of Lowe's attack [26] on the Needham-Schroeder protocol in Figure 2. It contains six strands: an initiator, a responder, and one instance of each of the four penetrator strands $M'$ (access to the intruder's initial knowledge), $D$ (decryption), $M$ (access to public information) and $E$ (encryption). A detailed discussion of penetrator strands can be found in [7]. Constants are indicated using a different font than variables (e.g. $\mathsf{n}_A$ as opposed to $n_A$). In this configuration, the initiator has executed its first action, strands $M'$ and $D$ have been completed, strands $M$ and $E$ are fully instantiated but still have to execute their first action, while the responder strand has been only partially instantiated. The only message in transit (the fringe) is $(\mathsf{n}_A, \mathsf{k}_A)$.

The  second  box  in  figure  5  shows  the  encoding  of  (a,  a s) 
in  linear  logic.  Observe  that,  whenever  the  border  between 
a  and  <r3  \  a  crosses  an  active  strand,  the  atomic  formula 
Q(uf)  corresponding  to  the  intersected  ==>-edge  appears  as 
a  conjunct  in  ra **  \<rn.  Similarly,  each  terminated  strand 
contributes  an  occurrence  of  stop.  The  residual  of  every 
active  strand  yields  a  formula  with  implications.  Finally, 
notice  that  the  representation  of  the  partially  instantiated 
responder  strand  accounts  for  the  only  quantifiers  appearing 
in  r(<r,  cr®)"1. 

5  Soundness  and  Completeness 

We  will  now  show  that,  given  the  above  encoding,  reach¬ 
ability  among  configurations  is  mapped  to  the  derivability 
of  their  representation  in  linear  logic,  and  vice  versa.  Con¬ 
structing  a  derivation  that  mimics  a  sequence  of  moves  in 
the  strand  world,  formally  stated  in  the  following  theorem, 
is  fairly  simple. 

Theorem 5.1 (Soundness)

Let $S$ be a set of parametric strands and $(\sigma_1,\sigma_1^S)_\Sigma$, $(\sigma_2,\sigma_2^S)_{\Sigma,n}$ two configurations over $S$. If there is a move sequence $o$ such that

$$(\sigma_1,\sigma_1^S)_\Sigma \ \longrightarrow_{o[\Sigma'/n]}\ (\sigma_2,\sigma_2^S)_{\Sigma,\Sigma'},$$

for some instantiation of variables $n$ with fresh distinct constants $\Sigma'$, then there exists a linear logic derivation $\mathcal{D}$ of the sequent

$$\ulcorner S\urcorner;\ \Pi, \ulcorner(\sigma_1,\sigma_1^S)_\Sigma\urcorner \ \vdash_\Sigma\ \exists n.\,\ulcorner(\sigma_2,\sigma_2^S)_{\Sigma,n}\urcorner \otimes \Pi.$$


Proof: By induction on the structure of $o$. If the move sequence is processed right-to-left, we obtain a cut-free derivation. Operating forward (left-to-right) requires the use of the cut rule (which can subsequently be eliminated). □

In the above proof, each move is simulated by the application of a number of linear logic rules. This finer granularity is a hindrance when considering a derivation that relates the encoding of two configurations, and trying to read off the move sequences that have actually been applied: these micro-steps can be intermingled in arbitrary ways. This forces us to break our completeness proof into a number of stages aimed at disentangling the given linear logic derivation. First we reduce ourselves to a purely multiplicative setting by pushing $dl$ and the quantifier rules to the bottom of the given derivation.

Lemma 5.2 Let $S$ be a set of parametric strands and $(\sigma_1,\sigma_1^S)_\Sigma$, $(\sigma_2,\sigma_2^S)_{\Sigma,n}$ two configurations over $S$. If there is a cut-free derivation $\mathcal{D}$ of the sequent

$$\ulcorner S\urcorner;\ \Pi, \ulcorner(\sigma_1,\sigma_1^S)_\Sigma\urcorner \ \vdash_\Sigma\ \exists n.\,\ulcorner(\sigma_2,\sigma_2^S)_{\Sigma,n}\urcorner \otimes \Pi$$

then there exists an instantiation of variables $n$ with fresh distinct constants $\Sigma'$, a configuration $(\sigma_0,\sigma_0^S)_{\Sigma,\Sigma'}$, and a cut-free derivation $\mathcal{D}^*$ of the sequent

$$\ulcorner S\urcorner;\ \Delta \ \vdash_{\Sigma,\Sigma'}\ \ulcorner[\Sigma'/n](\sigma_2,\sigma_2^S)_{\Sigma,\Sigma'}\urcorner \otimes \Pi$$

where $\Delta = \Pi, \ulcorner(\sigma_1,\sigma_1^S)_\Sigma\urcorner, \ulcorner(\sigma_0,\sigma_0^S)_{\Sigma,\Sigma'}\urcorner$, that uses neither $dl$ nor any of the quantifier rules $\forall l$, $\exists l$, $\exists r$.

Proof: We exploit the relative permutability of these inference rules, as described in [25]. More precisely, we apply the following four steps:

1. We permute rule $dl$ below every other rule. The resulting derivation consists then of a sequence of applications of $dl$ followed by a subderivation $\mathcal{D}'$ that does not use this rule. The applications of $dl$ correspond to committing to the parametric strands that will be used to produce $(\sigma_2,\sigma_2^S)_{\Sigma,n}$ (once instantiated, they will correspond to $(\sigma_0,\sigma_0^S)_{\Sigma,\Sigma'}$).

2. We permute rule $\exists l$ to the bottom of $\mathcal{D}'$, which enables us to consider a subderivation $\mathcal{D}''$ that does not contain these rules. These uses of $\exists l$ correspond to picking the new constants that appear in $\Sigma'$ beforehand.
Configuration $(\sigma,\sigma^S)$, listing its six strands:

$$\begin{array}{l}
\mathit{Initiator}(k_A, k_A^{-1}, k_I, n_A, n_B) \\
M'(k_I^{-1}) \\
D(\langle n_A, k_A\rangle, k_I, k_I^{-1}) \\
M(k_B) \\
E(\langle n_A, k_A\rangle, k_B) \\
\mathit{Responder}(k_B, k_B^{-1}, k_A, n_B, n_A)
\end{array}$$

Encoding:

$$\ulcorner Fr(\sigma)\urcorner \;=\; N(\langle n_A, k_A\rangle)$$

$\ulcorner \sigma^S \setminus \sigma\urcorner$ is the tensor product of the following formulas, one per strand in the order above:

$$\begin{array}{l}
Q(u_1^A) \otimes (\\
\quad Q(u_1^A) \otimes N(\{n_A,n_B\}_{k_A}) \multimap Q(u_2^A) \otimes (\\
\quad\quad Q(u_2^A) \multimap N(\{n_B\}_{k_I}) \otimes \mathit{stop}))
\end{array}$$

$$\mathit{stop}$$

$$\mathit{stop}$$

$$Q(u_0^M) \otimes (Q(u_0^M) \multimap N(k_B) \otimes \mathit{stop})$$

$$\begin{array}{l}
Q(u_0^E) \otimes (\\
\quad Q(u_0^E) \otimes N(\langle n_A,k_A\rangle) \multimap Q(u_1^E) \otimes (\\
\quad\quad Q(u_1^E) \otimes N(k_B) \multimap Q(u_2^E) \otimes (\\
\quad\quad\quad Q(u_2^E) \multimap N(\{n_A,k_A\}_{k_B}) \otimes \mathit{stop})))
\end{array}$$

$$\begin{array}{l}
\forall k_B, k_B^{-1}, k_A, n_A.\ \ \bigotimes\pi_B(k_B,k_B^{-1},k_A) \multimap \bigotimes\pi_B(k_B,k_B^{-1},k_A) \otimes Q(u_0^B) \otimes (\\
\quad Q(u_0^B) \otimes N(\{n_A,k_A\}_{k_B}) \multimap Q(u_1^B) \otimes (\\
\quad\quad Q(u_1^B) \multimap Q(u_2^B) \otimes N(\{n_A,n_B\}_{k_A}) \otimes (\\
\quad\quad\quad Q(u_2^B) \otimes N(\{n_B\}_{k_B}) \multimap \mathit{stop})))
\end{array}$$

where

$$\begin{array}{lcl}
\ulcorner M'\urcorner & = & \exists q_0.\,\forall x.\ \ I_0(x) \multimap I_0(x) \otimes Q(q_0) \otimes (Q(q_0) \multimap N(x) \otimes \mathit{stop}) \\[4pt]
\ulcorner D\urcorner & = & \exists q_0,q_1,q_2.\,\forall m,k,k'.\ \ \mathrm{PrivK}(k,k') \multimap \mathrm{PrivK}(k,k') \otimes Q(q_0) \otimes (\\
& & \quad Q(q_0) \otimes N(\{m\}_k) \multimap Q(q_1) \otimes (\\
& & \quad\quad Q(q_1) \otimes N(k') \multimap Q(q_2) \otimes (\\
& & \quad\quad\quad Q(q_2) \multimap N(m) \otimes \mathit{stop}))) \\[4pt]
\ulcorner M\urcorner & = & \exists q_0.\,\forall k.\ \ \mathrm{PubK}(k) \multimap \mathrm{PubK}(k) \otimes Q(q_0) \otimes (Q(q_0) \multimap N(k) \otimes \mathit{stop}) \\[4pt]
\ulcorner E\urcorner & = & \exists q_0,q_1,q_2.\,\forall m,k.\ \ \mathrm{PubK}(k) \multimap \mathrm{PubK}(k) \otimes Q(q_0) \otimes (\\
& & \quad Q(q_0) \otimes N(m) \multimap Q(q_1) \otimes (\\
& & \quad\quad Q(q_1) \otimes N(k) \multimap Q(q_2) \otimes (\\
& & \quad\quad\quad Q(q_2) \multimap N(\{m\}_k) \otimes \mathit{stop})))
\end{array}$$

Figure 5: A Translation: Lowe's attack on the Needham-Schroeder Protocol
3. We permute rules $\exists r$ to the end of $\mathcal{D}''$, obtaining a subderivation $\mathcal{D}'''$ that does not mention these rules. The applications of $\exists r$ correspond to hiding $\Sigma'$ in the overall derivation.

4. Finally, we permute every use of $\forall l$ down past every other rule, making explicit a subderivation $\mathcal{D}^*$ with the required characteristics. The applications of $\forall l$ complete the instantiation of $(\sigma_0,\sigma_0^S)_{\Sigma,\Sigma'}$. □


When interpreted at the strand level, Lemma 5.2 specifies that a move sequence can be rearranged so that parametric strands are chosen and instantiated before any message is exchanged. More specifically, all uses of $C_f$ happen first, followed by all applications of $C_i$. Only then can $S$- and $R$-moves take place.

The  next  step  consists  in  grouping  together  the  rule  ap¬ 
plications  that  correspond  to  each  move  in  the  multiplicative 
part  of  the  given  derivation.  This  provides  a  simple  way  of 
identifying  moves  S  and  R. 

Lemma 5.3 Let $S$ be a set of parametric strands and $(\sigma_1,\sigma_1^S)_\Sigma$, $(\sigma_2,\sigma_2^S)_\Sigma$ two configurations over $S$. If there is a cut-free derivation $\mathcal{D}$ of the sequent

$$\ulcorner S\urcorner;\ \Pi, \ulcorner(\sigma_1,\sigma_1^S)_\Sigma\urcorner \ \vdash_\Sigma\ \ulcorner(\sigma_2,\sigma_2^S)_\Sigma\urcorner \otimes \Pi$$

that uses only rules from the left half of Figure 3, then there exists a cut-free derivation $\mathcal{D}^{**}$ of this sequent such that

• Every use of $\otimes r$ appears just below $id$, $1r$ or $\otimes r$;

• Rules $1l$ and $\otimes l$ are applied eagerly.


[Schematic derivation; the moves read off on its right are, from top to bottom, $S/R$, $C_i$ and $C_f$.]

Figure 6: Completeness Argument


A  fine  analysis  of  this  proof  reveals  that  linear  logic 
derivations  enable  a  form  of  abstraction  that  move  sequences 
do  not  achieve.  Indeed,  the  tree  structure  of  a  derivation 
does  not  always  impose  a  total  order  on  independent  transi¬ 
tions.  This  is  a  very  mild  form  of  non-determinism  compared 
with  the  explicit  concurrency  present  in  bundles  [7].  We  ex¬ 
pect  to  get  a  model  closer  to  bundles  by  considering  graph- 
based  formulations  of  linear  logic  such  as  proof  nets  [16]. 
Furthermore,  game-theoretic  investigations  of  linear  logic  [2] 
have  produced  methods  for  obtaining  very  strong  forms  of 
completeness  which  could  be  relevant  in  this  setting. 


Proof: Again, we take advantage of the permutability results in [25]. Rule $\otimes r$ can be pushed up past any other rule (except $id$ and $1r$). On the other hand, $\otimes l$ and $1l$ can always be permuted down, as long as the nesting of subformulas is respected (clearly if the left-hand side contains a formula $(A \otimes B) \multimap C$, a proof fragment that dismantles this formula must apply $\otimes l$ above $\multimap l$). □

At  this  point,  we  have  the  means  to  extract  a  sequence  of 
moves  from  a  linear  logic  derivation  that  relates  the  encoding 
of  two  configurations. 

Theorem 5.4 (Completeness)

Let $S$ be a set of parametric strands and $(\sigma_1,\sigma_1^S)_\Sigma$, $(\sigma_2,\sigma_2^S)_{\Sigma,n}$ two configurations over $S$. If there is a linear logic derivation $\mathcal{D}$ of the sequent

$$\ulcorner S\urcorner;\ \Pi, \ulcorner(\sigma_1,\sigma_1^S)_\Sigma\urcorner \ \vdash_\Sigma\ \exists n.\,\ulcorner(\sigma_2,\sigma_2^S)_{\Sigma,n}\urcorner \otimes \Pi$$

then there exists an instantiation of variables $n$ with fresh distinct constants $\Sigma'$ and a move sequence $o$ such that

$$(\sigma_1,\sigma_1^S)_\Sigma \ \longrightarrow_{o[\Sigma'/n]}\ (\sigma_2,\sigma_2^S)_{\Sigma,\Sigma'}.$$

Proof: The use of Lemma 5.2 followed by Lemma 5.3 to $\mathcal{D}$ yields a derivation structured as in Figure 6, from which moves over configurations can easily be read off (shown on the right of the schematic derivation). □


6  Interpreting  Multiset  Rewriting  in  Linear  Logic 

In  this  section,  we  briefly  describe  how  multiset  rewriting 
techniques  can  be  conveniently  used  to  express  security  pro¬ 
tocols  (Section  6.1).  We  then  show  how  the  resulting  speci¬ 
fication  is  translated  into  linear  logic  and  state  the  expected 
correctness  results  (Section  6.2).  Finally,  we  compare  the 
linear  logic  expressions  we  derive  from  the  strand  and  mul¬ 
tiset  rewriting  specifications  of  a  protocol  (Section  6.3). 

6.1  Multiset  Rewriting  for  Cryptoprotocols 

A  multiset  M  is  an  unordered  collection  of  objects  or  ele¬ 
ments,  possibly  with  repetitions.  The  empty  multiset  does 
not  contain  any  object  and  will  be  written  We  accu¬ 
mulate  the  elements  of  two  multisets  M  and  N  by  taking 
their  multiset  union ,  denoted  “M,  N” .  The  elements  we  will 
consider  here  will  be  first-order  atomic  formulas  A(t)  over 
some  signature. 

In its simplest form, a multiset rewrite rule $r$ is a pair of multisets $F$ and $G$, respectively called its antecedent and consequent. We will consider a slightly more elaborate notion in which $F$ and $G$ are multisets of first-order atomic formulas with variables among $x$. We emphasize this aspect by writing them as $F(x)$ and $G(x)$. Furthermore, we shall be able to mark variables in the consequent so that they are instantiated to “fresh” constants, that have not previously been encountered, even if the rule is used repeatedly. A rule assumes then the form

$$r : F(x) \to \exists n.\,G(x,n)$$


$$\begin{array}{ll}
\textit{Initiator} & \\
r_{A0}: & \pi_{A0}(K_A,K_A^{-1}) \to A_0(K_A,K_A^{-1}),\ \pi_{A0}(K_A,K_A^{-1}) \\
r_{A1}: & A_0(K_A,K_A^{-1}),\ \pi_{A1}(K_B) \to \exists N_A.\ A_1(K_A,K_A^{-1},K_B,N_A),\ N(\{N_A,K_A\}_{K_B}),\ \pi_{A1}(K_B) \\
r_{A2}: & A_1(K_A,K_A^{-1},K_B,N_A),\ N(\{N_A,N_B\}_{K_A}) \to A_2(K_A,K_A^{-1},K_B,N_A,N_B) \\
r_{A3}: & A_2(K_A,K_A^{-1},K_B,N_A,N_B) \to A_3(K_A,K_A^{-1},K_B,N_A,N_B),\ N(\{N_B\}_{K_B}) \\[4pt]
\textit{Responder} & \\
r_{B0}: & \pi_{B0}(K_B,K_B^{-1}) \to B_0(K_B,K_B^{-1}),\ \pi_{B0}(K_B,K_B^{-1}) \\
r_{B1}: & B_0(K_B,K_B^{-1}),\ N(\{N_A,K_A\}_{K_B}),\ \pi_{B1}(K_A) \to B_1(K_A,K_B,K_B^{-1},N_A),\ \pi_{B1}(K_A) \\
r_{B2}: & B_1(K_A,K_B,K_B^{-1},N_A) \to \exists N_B.\ B_2(K_A,K_B,K_B^{-1},N_A,N_B),\ N(\{N_A,N_B\}_{K_A}) \\
r_{B3}: & B_2(K_A,K_B,K_B^{-1},N_A,N_B),\ N(\{N_B\}_{K_B}) \to B_3(K_A,K_B,K_B^{-1},N_A,N_B)
\end{array}$$

where

$$\begin{array}{ll}
\pi_{A0}(K_A,K_A^{-1}) = \mathrm{PubK}(K_A),\ \mathrm{PrvK}(K_A,K_A^{-1}) & \pi_{B0}(K_B,K_B^{-1}) = \mathrm{PubK}(K_B),\ \mathrm{PrvK}(K_B,K_B^{-1}) \\
\pi_{A1}(K_B) = \mathrm{PubK}(K_B) & \pi_{B1}(K_A) = \mathrm{PubK}(K_A)
\end{array}$$

Figure 7: Multiset Rewriting Specification of the Needham-Schroeder Protocol


where $r$ is a label and $\exists n$ indicates that the constants that instantiate $n$ ought to be fresh. A multiset rewriting system $\mathcal{R}$ is a set of rewrite rules.

Rewrite rules allow transforming a multiset into another multiset by making localized changes to the elements that appear in it. Given a multiset of ground facts $M$ over a signature $\Sigma$, a rule $r : F(x) \to \exists n.\,G(x,n)$ is applicable if $M = F(t), M'$, for terms $t$. Then, applying $r$ to $M$ yields the multiset $N = G(t,c), M'$ where the constants $c$ are fresh (in particular, they do not appear in $M$), $x$ and $n$ have been instantiated with $t$ and $c$ respectively, and the facts $F(t)$ in $M$ have been replaced with $G(t,c)$ to produce $N$. The new signature is $\Sigma, c$. We denote the application of a single rule and of zero or more rewrite rules by means of the one-step and multistep transition judgments:

Afs  — 

respectively, where $\Sigma$ and $\Sigma'$ are the signatures over which $M$ and $N$ are respectively defined. The labels $r$ and $\vec{r}$ identify which rule(s) have been applied and the terms $t$ used to instantiate $x$. Thus, $\vec{r}$ acts as a complete trace of the execution.

We  model  protocols  by  means  of  specifically  tailored  mul¬ 
tiset  rewriting  systems.  We  call  this  approach  MSR.  With¬ 
out  loss  of  generality,  we  consider  here  a  slightly  simplified 
version  of  the  model  introduced  in  [6,  12].  We  rely  upon  the 
following  atomic  formulas: 

Network  messages:  Network  messages  are  modeled  by 
the  predicate  N(m),  where  m  is  a  message  being  trans¬ 
mitted. 

Role states: We first choose a set of role identifiers $\rho_1, \ldots, \rho_n$ for the different roles constituting the protocol. Then, for each role $\rho$, we have a finite family of role state predicates $\{A_{\rho i}(m) \mid i = 0 \ldots l_\rho\}$. They are intended to hold the internal state of a principal in role $\rho$ during the successive steps of the protocol.

Intruder  knowledge:  The  adversary’s  knowledge  is  held 
in  a  distributed  way  in  facts  of  the  form  I (m),  where  m 
is  some  piece  of  information  captured  or  fabricated  by 
the  intruder. 


Persistent information: We express persistent information exactly as we did in the case of strands in Section 2, i.e. by means of a multiset $\Pi$ of ground facts.

We represent each role $\rho$ in a protocol by means of a single role generation rule and a finite number of protocol execution rules. The purpose of the former is to prepare for the execution of an instance of role $\rho$. It has the form

$$r_{\rho 0} : \pi(x) \to A_{\rho 0}(x),\ \pi(x).$$

where, as in previous sections, $\pi(x)$ denotes a multiset of persistent atomic formulas that may mention variables among $x$. Notice how persistent information is preserved. The execution rules describe the messages sent and expected by the principal acting in this role. For $i = 0 \ldots l_\rho - 1$, we have a rule $r_{\rho\, i+1}$ of either of the following two forms:

$$\begin{array}{ll}
\text{send:} & A_{\rho i}(x),\ \pi(x,z) \ \to\ \exists n.\ A_{\rho\, i+1}(x,z,n),\ N(m(x,z,n)),\ \pi(x,z) \\[4pt]
\text{receive:} & A_{\rho i}(x),\ N(m(x,y)),\ \pi(x,y,z) \ \to\ A_{\rho\, i+1}(x,y,z),\ \pi(x,y,z)
\end{array}$$

where $m(v)$ stands for a message pattern with variables among $v$. In the first type of rules, we rely on the existential operator $\exists n$ to model the ability of a principal to create nonces when sending a message. This principal can also include some persistent data $z$ (e.g. the name and public key of an interlocutor), possibly related to information it already possesses ($x$). In the second rule template, the principal should be able to access persistent information $z$ related to data in the received message $y$ (e.g. the sender's public key) or previously known information $x$. Situations where a principal both sends and receives a message, or sends multiple messages, can easily be expressed by these rules.

A protocol is specified as a set $\mathcal{R}$ of such roles. As an example, Figure 7 shows the encoding of our running example in the MSR notation.

The behavior of the intruder according to the Dolev-Yao model [11, 34] is similarly specified as a set of rewrite rules [6]. We will refer to them as $\mathcal{I}$. A state is then a multiset of ground facts $S = \Pi, A, N, I$, where $A$ is a multiset of role states $A_{\rho i}(t)$, $N$ is a multiset of messages $N(m)$ currently in transit, and $I$ summarizes the intruder's knowledge $I(m)$. In particular the initial state is just $\Pi, I_0$, where $I_0$ contains the information (e.g. keys) initially known to the intruder.
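The rewriting semantics of this section (applicability as $M = F(t), M'$, application as $N = G(t,c), M'$ with $c$ fresh, and the role-generation, send and receive rule templates) is small enough to execute. The following added example (not the paper's or MSR's own code) is a minimal multiset rewriting engine with first-order matching and fresh-constant generation, loaded with the Needham-Schroeder roles of Figure 7 and run through one honest exchange; the key constants `kA`, `kB` and the nonce naming scheme are constructed for the illustration. It contains no intruder rules, since the page only refers to them.

```python
# Added example (not the paper's or MSR's own code): a small multiset rewriting
# engine for Section 6.1 -- applicability (M = F(t), M'), application with fresh
# constants (N = G(t, c), M'), and the Needham-Schroeder roles of Figure 7.
# Key names kA, kB and the nonce scheme "N_A#<counter>" are constructed.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Var:
    name: str


def match(pat, term, sub):
    """Match a pattern with variables against a ground term; return the extended
    substitution or None.  Terms are constants (str) or tuples."""
    if isinstance(pat, Var):
        if pat in sub:
            return sub if sub[pat] == term else None
        return {**sub, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            sub = match(p, t, sub)
            if sub is None:
                return None
        return sub
    return sub if pat == term else None


def subst(t, sub):
    if isinstance(t, Var):
        return sub[t]
    return tuple(subst(x, sub) for x in t) if isinstance(t, tuple) else t


@dataclass(frozen=True)
class Rule:
    name: str
    ante: tuple          # F(x): multiset of atomic formulas, predicate symbol first
    cons: tuple          # G(x, n)
    fresh: tuple = ()    # the variables n marked with the existential


def matches(rule, state, hint=None):
    """Every way of splitting the state into an instance F(t) and the leftover M'."""
    def go(i, rest, sub):
        if i == len(rule.ante):
            yield sub, rest
            return
        for j, fact in enumerate(rest):
            s = match(rule.ante[i], fact, sub)
            if s is not None:
                yield from go(i + 1, rest[:j] + rest[j + 1:], s)
    yield from go(0, list(state), dict(hint or {}))


def applicable(rule, state, hint=None):
    return next(matches(rule, state, hint), None) is not None


_fresh = count()

def step(rule, state, hint=None):
    """Apply `rule` to `state`: replace the matched F(t) by G(t, c).  `hint` fixes
    some variables in advance (e.g. which principal a role talks to).  Fresh
    constants come from a global counter, so they occur in no earlier state."""
    for sub, rest in matches(rule, state, hint):
        sub = dict(sub)
        for n in rule.fresh:
            sub[n] = f"{n.name}#{next(_fresh)}"   # extends the signature by c
        return rest + [subst(g, sub) for g in rule.cons]
    raise ValueError(f"{rule.name} is not applicable")


# Figure 7, transcribed: {m}_k is ("enc", m, k); the pair <a, b> is ("pair", a, b).
KA, KAi, KB, KBi, NA, NB = (Var(v) for v in ("K_A", "K_A^-1", "K_B", "K_B^-1", "N_A", "N_B"))
enc = lambda m, k: ("enc", m, k)
pair = lambda a, b: ("pair", a, b)
PI_A0 = (("PubK", KA), ("PrvK", KA, KAi))
PI_B0 = (("PubK", KB), ("PrvK", KB, KBi))
NS = {r.name: r for r in [
    Rule("rA0", PI_A0, (("A0", KA, KAi),) + PI_A0),
    Rule("rA1", (("A0", KA, KAi), ("PubK", KB)),
         (("A1", KA, KAi, KB, NA), ("N", enc(pair(NA, KA), KB)), ("PubK", KB)), fresh=(NA,)),
    Rule("rA2", (("A1", KA, KAi, KB, NA), ("N", enc(pair(NA, NB), KA))),
         (("A2", KA, KAi, KB, NA, NB),)),
    Rule("rA3", (("A2", KA, KAi, KB, NA, NB),),
         (("A3", KA, KAi, KB, NA, NB), ("N", enc(NB, KB)))),
    Rule("rB0", PI_B0, (("B0", KB, KBi),) + PI_B0),
    Rule("rB1", (("B0", KB, KBi), ("N", enc(pair(NA, KA), KB)), ("PubK", KA)),
         (("B1", KA, KB, KBi, NA), ("PubK", KA))),
    Rule("rB2", (("B1", KA, KB, KBi, NA),),
         (("B2", KA, KB, KBi, NA, NB), ("N", enc(pair(NA, NB), KA))), fresh=(NB,)),
    Rule("rB3", (("B2", KA, KB, KBi, NA, NB), ("N", enc(NB, KB))),
         (("B3", KA, KB, KBi, NA, NB),)),
]}


def initial_state():
    """Constructed Pi: public and private keys of two principals, nothing else."""
    return [("PubK", "kA"), ("PrvK", "kA", "kA^-1"), ("PubK", "kB"), ("PrvK", "kB", "kB^-1")]


def honest_run():
    """One honest exchange (A talks to kB); the list of rule names is the trace."""
    state = initial_state()
    trace = [("rA0", {KA: "kA"}), ("rA1", {KB: "kB"}), ("rB0", {KB: "kB"}),
             ("rB1", {}), ("rB2", {}), ("rA2", {}), ("rA3", {}), ("rB3", {})]
    for name, hint in trace:
        state = step(NS[name], state, hint)
    return state
```

After `honest_run()` the state is $\Pi$ plus $A_3$ and $B_3$ facts agreeing on both nonces, and no $N(\cdot)$ fact remains in transit: each message produced by a send rule was consumed by exactly one receive rule, which is the multiset discipline the linear-logic reading of Section 6.2 relies on. The `hint` argument stands in for the choice of interlocutor that the persistent facts $\pi_{A1}(K_B)$ and $\pi_{B1}(K_A)$ leave open.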
6.2 Mapping to Linear Logic

The close affinity between multiset rewriting and simple fragments of linear logic has been known for a long time [3, 30, 15, 19, 5]. We extend this standard correspondence to take parameters and existentially quantified variables into consideration. A generic multiset $M$ is mapped to the tensor product $\bigotimes M$ of its constituents, or $1$ if $M$ is empty. A multiset rewrite rule

$$r : F(x) \to \exists n.\,G(x,n)$$

is translated into the following linear logic formula, that we call $\ulcorner r\urcorner$:

$$\forall x.\ \bigotimes F(x) \multimap \exists n.\ \bigotimes G(x,n).$$

The encoding $\ulcorner\mathcal{R}\urcorner$ of a set $\mathcal{R}$ of multiset rewriting rules is the union of the translation of its elements.

Given  this  simple  encoding,  multiset  rewriting  transi¬ 
tions  correspond  to  linear  logic  derivations  and  reachability 
is  mapped  to  derivability. 

Theorem 6.1 (Soundness and Completeness)

Let $\mathcal{R}$ be a set of multiset rewriting rules, let $S$ be a state over signature $\Sigma$, and let $S'$ be a state over $\Sigma$ and variables $n = (n_1 \ldots n_k)$. If there is a transition sequence $\vec{r}$ such that

$$S_\Sigma \ \longrightarrow_{\vec{r}[c/n]}\ S'_{\Sigma,c}$$

for some instantiation with distinct fresh constants $c = (c_1 \ldots c_k)$, there exists a linear logic derivation $\mathcal{D}$ of the sequent

$$\ulcorner\mathcal{R}\urcorner;\ \bigotimes S \ \vdash_\Sigma\ \exists n.\ \bigotimes S',$$

and vice versa. □

The proof of this result follows the pattern of Theorems 5.1 and 5.4. In particular, the soundness part relies on a simple induction on the structure of the transition sequence $\vec{r}$. The completeness direction requires transforming the derivation $\mathcal{D}$ to a suitable normal form before extracting multiset rewriting rule applications.

6.3  Comparison 

Strands were originally aimed at analyzing completed protocol runs in terms of the observed causal interactions among the participants. Parametric strands, briefly described in Section 2 and fully investigated in [7], extend this framework with the possibility of giving executable specifications of security protocols. This same objective guided the design of MSR.

In [7], we established a substantial equivalence of these two formalisms: we devised a suitable abstraction of strand configurations that corresponds to MSR states, and showed that related pairs of states and configurations are equi-reachable. (Indeed, strand and MSR transitions induce an approximate bisimulation upon them. Were we to collapse the predicate symbols $N$ and $I$ and eliminate the MSR intruder rules that relate them, we would obtain an exact bisimulation.) This is relevant for security analysis because several properties of security protocols (e.g. secrecy) can be phrased as reachability problems.

Our results in Sections 5 and 6.2 show that both strand constructions and MSR can be expressed in linear logic in such a way that reachability corresponds to derivability. A close inspection of our translations reveals however substantial differences in the resulting formulas. First, a parametric strand is mapped to a single reusable linear logic formula, while the corresponding notion of role in MSR yields a separate multi-use clause for each message transmission or reception, plus one to account for role generation. Second, all quantifiers appear at the head of the translation of a parametric strand, while they are distributed among several clauses and possibly nested within connectives in the case of MSR. Standard linear logic equalities are insufficient to prove the equivalences of these mappings. In fact, these translations, although faithfully capturing corresponding behaviors, are not logically equivalent. This leaves us with the following partially completed diagram:

                 [7]
    MSR  <-----------------> Strands
     |                          |
     v                          v
    LL   <- - - - - - - - - ->  LL

Although  MSR  and  strands  agree  on  basic  secrecy,  they 
might  possibly  differ  on  more  refined  security  properties  such 
as  perhaps  Lowe’s  notion  of  agreement  [27,  28]  or  Schneider’s 
definition  of  precedence  [37,  36].  We  suspect  that  a  fine 
analysis  of  the  relationship  between  MSR  and  strands  in 
the  framework  of  linear  logic  may  expose  such  differences. 

7  Conclusions 

This paper may be seen as a companion to [7], where we showed that as far as the basic secrecy property is concerned (more precisely, reachability), strand spaces [13] and multiset rewriting with existential quantification, MSR [6, 12], are equivalent settings for the Dolev-Yao model of security protocol analysis. Multiset rewriting is known to be closely related to certain fragments of linear logic [3, 30, 15, 19, 5].

Another, direct representation of strand spaces in linear logic is introduced in this paper and shown to be sound and complete. Linear logic theories obtained by this encoding are not logically equivalent to the linear logic theories related to MSR, in general. This raises the possibility that strand spaces and MSR might differ on complex properties of protocols beyond basic secrecy. We propose linear logic as an appropriate logical setting for expressing properties of protocols, motivated by the natural way in which linear logic deals with computational state.